Differential privacy is a mathematical guarantee of privacy protection. Picture a crowd: adding or removing a single person leaves the group's overall silhouette unchanged. That is precisely the promise of this technique — the output of a data analysis should stay nearly identical whether or not any given individual is part of the dataset. No one can therefore infer whether your data was used.
How it works
The core idea is to inject calibrated random noise (often drawn from a Laplace or Gaussian distribution) into queries or models. This noise masks each person's contribution while preserving the overall statistical trends. We accept a slight loss of accuracy in exchange for a rigorous guarantee.
The guarantee is governed by a parameter ε (epsilon), the "privacy budget":
$$ \Pr[\mathcal{M}(D_1) \in S] \leq e^{\varepsilon} \cdot \Pr[\mathcal{M}(D_2) \in S] $$
where $D_1$ and $D_2$ are two datasets differing by a single individual. A low ε means strong protection (much noise); a high ε means weaker protection.
The central trade-off
| Criterion | Low ε | High ε |
|---|---|---|
| Privacy | Strong | Weak |
| Noise added | Heavy | Light |
| Accuracy | Reduced | High |
- Used by the 2020 U.S. Census, Apple, Google, and Microsoft.
- Relevant to federated learning and training AI models on sensitive data.
- It does not delete data: it bounds what an attacker can learn.
Differential privacy does not hide the tree — it makes the leaf that belongs to you impossible to recognize.